[arm64] Update "add kernel config option to lock down when in Secure Boot mode" for 4.15

debian/changelog

@@ -1,3 +1,10 @@
+linux (4.15~rc5-1~exp2) UNRELEASED; urgency=medium
+
+  * [arm64] Update "add kernel config option to lock down when in Secure Boot
+    mode" for 4.15
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 30 Dec 2017 16:00:15 +0000
+
 linux (4.15~rc5-1~exp1) experimental; urgency=medium
 
   * New upstream release candidate

debian/patches/features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch

@@ -14,8 +14,9 @@ kernel using the FDT.
 Signed-off-by: Linn Crosetto <linn@hpe.com>
 [bwh: Forward-ported to 4.10: adjust context]
 [Lukas Wunner: Forward-ported to 4.11: drop parts applied upstream]
-[bwh: Forward-ported to 4.11 and lockdown patch set:
- - Convert result of efi_get_secureboot() to a boolean
+[bwh: Forward-ported to 4.15 and lockdown patch set:
+ - Pass result of efi_get_secureboot() in stub through to
+   efi_set_secure_boot() in main kernel
  - Use lockdown API and naming]
 ---
  arch/arm64/Kconfig                      | 13 +++++++++++++
@@ -27,27 +28,6 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  include/linux/efi.h                     |  1 +
  7 files changed, 32 insertions(+), 2 deletions(-)
 
---- a/arch/arm64/Kconfig
-+++ b/arch/arm64/Kconfig
-@@ -1033,6 +1033,18 @@ config EFI
- 	  allow the kernel to be booted as an EFI application. This
- 	  is only useful on systems that have UEFI firmware.
- 
-+config EFI_SECURE_BOOT_LOCK_DOWN
-+	def_bool n
-+	depends on EFI
-+	prompt "Lock down the kernel when UEFI Secure Boot is enabled"
-+	---help---
-+	  UEFI Secure Boot provides a mechanism for ensuring that the firmware
-+	  will only load signed bootloaders and kernels.  Certain use cases may
-+	  also require that all kernel modules also be signed and that
-+	  userspace is prevented from directly changing the running kernel
-+	  image.  Say Y here to automatically lock down the kernel when a
-+	  system boots with UEFI Secure Boot enabled.
-+
- config DMI
- 	bool "Enable support for SMBIOS (DMI) tables"
- 	depends on EFI
 --- a/drivers/firmware/efi/arm-init.c
 +++ b/drivers/firmware/efi/arm-init.c
 @@ -21,6 +21,7 @@
@@ -58,21 +38,19 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  
  #include <asm/efi.h>
  
-@@ -244,6 +245,11 @@ void __init efi_init(void)
+@@ -252,6 +253,9 @@ void __init efi_init(void)
  	     "Unexpected EFI_MEMORY_DESCRIPTOR version %ld",
  	      efi.memmap.desc_version);
  
-+#ifdef CONFIG_EFI_SECURE_BOOT_LOCK_DOWN
-+	if (params.secure_boot > 0)
-+		lock_kernel_down();
-+#endif
++	efi_set_secure_boot(boot_params.secure_boot);
++	init_lockdown();
 +
  	if (uefi_init() < 0) {
  		efi_memmap_unmap();
  		return;
 --- a/drivers/firmware/efi/efi.c
 +++ b/drivers/firmware/efi/efi.c
-@@ -613,7 +613,8 @@ static __initdata struct params fdt_para
+@@ -635,7 +635,8 @@ static __initdata struct params fdt_para
  	UEFI_PARAM("MemMap Address", "linux,uefi-mmap-start", mmap),
  	UEFI_PARAM("MemMap Size", "linux,uefi-mmap-size", mmap_size),
  	UEFI_PARAM("MemMap Desc. Size", "linux,uefi-mmap-desc-size", desc_size),
@@ -84,13 +62,12 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  static __initdata struct params xen_fdt_params[] = {
 --- a/drivers/firmware/efi/libstub/fdt.c
 +++ b/drivers/firmware/efi/libstub/fdt.c
-@@ -134,6 +134,14 @@ static efi_status_t update_fdt(efi_syste
+@@ -158,6 +158,13 @@ static efi_status_t update_fdt(efi_syste
  			return efi_status;
  		}
  	}
 +
-+	fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table) !=
-+				 efi_secureboot_mode_disabled);
++	fdt_val32 = cpu_to_fdt32(efi_get_secureboot(sys_table));
 +	status = fdt_setprop(fdt, node, "linux,uefi-secure-boot",
 +			     &fdt_val32, sizeof(fdt_val32));
 +	if (status)
@@ -101,7 +78,7 @@ Signed-off-by: Linn Crosetto <linn@hpe.com>
  fdt_set_fail:
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -736,6 +736,7 @@ struct efi_fdt_params {
+@@ -749,6 +749,7 @@ struct efi_fdt_params {
  	u32 mmap_size;
  	u32 desc_size;
  	u32 desc_ver;